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^^ . Abstract 

The use of quantum bits (qubits) in cryptography holds the promise of secure 
cryptographic quantum key distribution schemes. It is based usually on single-photon 
polarization states. Unfortunately, the implemented "qubits" in the usual weak pulse 
experiments are not true two-level systems, and quantum key distribution based on 
these imperfect qubits is totally insecure in the presence of high (realistic) loss rate. 
In this work, we investigate another potential implementation: qubits generated using 
a process of parametric downconversion. We find that, to first (two-photon) and second 
(four-photon) order in the parametric downconversion small parameter, this implemen- 
tation of quantum key distribution is equivalent to the theoretical version. 

Once realistic measurements are taken into account, quantum key distribution 
based on parametric downconversion suffers also from sensitivity to extremely high 
(nonrealistic) losses. By choosing the small parameter of the process according to the 
loss rates, both implementations of quantum key distribution can in principle become 
secure against the attack studied in this paper. However, adjusting the small parameter 
to the required levels seems to be impractical in the weak pulse process. On the other 
hand, this can easily be done in the parametric downconversion process, making it a 
much more promising implementation. 
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INTRODUCTION 

Quantum information theory suggests the possibihty to accomphsh tasks that 
are beyond the capabihty of classical computer science, such as information-secure 
cryptographic key distribution^. While theoretical quantum key distribution (qkd) 
schemes are proven secure against very sophisticated attacks^, the experimental qkd 
schemes are not yet proven secure even against very simple attacks. In this work, we 
analyse the effect of losses on the security of experimental quantum key distribution. 
We investigate a novel implementation, qubits produced by a process of parametric 
downconversion (PDC) , and we compare it to the more common implementation based 
on weak coherent pulses (wcp). 

A protocol is considered secure if the adversary is restricted only by the rules of 
quantum mechanics, and yet cannot obtain any information on the final key. In the 
four-state scheme^ usually referred to as BB84, the sender (Alice) and the receiver 
(Bob) use two conjugate bases (say, the rectilinear basis, +, and the diagonal basis, x) 
for the polarization of single photons. In basis + (resp. x), they use the two orthogonal 
basis states |0+) and |1+) (resp. |0x) and |lx)) to represent "0" and "1" respectively. 
The basis is revealed later on, which enables Bob to decode the bit whenever he 
used the same basis as Alice; otherwise, they throw the bit away. Finally, they use 
error-correction and privacy amplification to obtain a potentially secure final key^' ^. 

All the experiments done so far to demonstrate protocols for secure quantum key 
distribution use pulses of light containing (on average) much less than one photon. 
We approximate the state of the modified qubit created by this process to be in single 
mode, which we call a "weak coherent pulse" (wcp). [For an explanation regarding a 
description of a pulse, see Blow et al''.] We analyse the security of wcp-based schemes 
while paying special attention to the losses. The channel causes huge loss rate (whether 
a fiber, which causes attenuation, or free space, which causes beam broadening). In the 
experimental literature, it is usually assumed that the only effect of losses is to reduce 
the bit rate. We show that there are two different types of losses, channel losses and 
losses due to the state ("state losses"). The state losses have impact on the bit rate. 
The channel losses have a vital impact on security, in addition to their impact on the bit 
rate. A careful analysis of channel losses shows that schemes that were assumed secure 
are in fact totally insecure even against a simple intercept-resend attack. In intercept- 
resend attacks, an eavesdropper (Eve) performs a complete measurement on the input 
qubit, and she prepares and sends to Bob a state of her own, according to the outcome 
of her measurement. When Alice and Bob are using linearly independent states. Eve 
can sometimes get full information by performing a "positive operator value measure" 
(POVM) that conclusively distinguishes such states. This is fatal in presence of high 
channel losses between Alice and Bob because Eve can recreate the state near Bob and 
send it to him without loss whenever she measured it conclusively, whereas she forwards 
nothing to Bob otherwise! We shall refer to this attack as the conclusive-m,easurement 
attack. This was discussed when the two-state scheme^ was invented, and its power 
against the four-state scheme was realized by Yuen^. 

Recently, parametric downconversion has been used to generate a polarization 
singlet state^ to test Bell's inequalities, and it is believed that it can be used as a 
much better single-photon source for quantum key distribution. Here, we explain the 
potential experiment and we present the modified singlet state resulting from this PDC 
process. Then, we calculate the state sent to Bob, including two-photon and four- 
photon terms, assuming dispersion-free devices, no dark counts and perfect detectors. 
fA different use of a PDC for OKT) was nreviouslv suererested^. based on Franson-tvne 



uncertainties, but the polarization encoding we suggest here allows for a much simpler 
analysis] . 

We find that pdc-QKD is much more secure than wcp-QKD: The security of WCP- 
QKD is destroyed in the presence of high channel loss rate due to the linear independence 
obtained when adding the second-order terms. The crucial advantage of the pdc-QKD 
is that the second-order terms do not affect the fact that the states in one basis are 
linearly dependent on the states in the other basis. Thus, the attack that destroys the 
security of WCP-QKD in the presence of high losses has no impact on PDC-QKD (when 
second-order calculation and perfect detection are considered). 

When imperfections in the process are taken into account, this euphoric picture 
changes, and the second-order states sent to Bob are not linearly dependent anymore. 
Fortunately, pdc-QKD becomes totally insecure against the conclusive-measurement 
attack only in the presence of such extremely high loss rate that more serious practical 
problems would have already arisen, such as the importance of dark counts, or errors 
due to various inaccuracies in the devices. As we explain in the discussion, it is probably 
impossible to make the WCP implementation secure against the conclusive measurement 
attack, thus we suggest that the experimental effort should be directed towards the 
implementation of pdc-QKD. 

SECURITY OF WCP-BASED QKD 

Experimental QKD is mainly based on the use of weak pulses of coherent light. 
By definition, a pulse consists of a linear superposition of many frequency contributions, 
but the laser pulse itself can be considered to be in a single, localized mode provided 
that dispersion is not significant in any of the optical elements^. 

Using Fock state notation, |0, 0) denotes the vacuum state, and the state |n|, m^), 
which describes n photons with vertical polarization and m photons with horizon- 
tal polarization, is denoted more simply by \n,m). Ideally, the four BB84 states 
should be 1 1) = |0+) = |1,0) and | ^^) = |1+) = |0, 1) in the -|- basis, and 
|0x) = (1/V2)[|1,0) + |0,1)] and |lx) = (l/v^)[|l, 0) - |0, 1)] in the x basis. 

Consider now a weak coherent pulse with parameter a, meaning that a photon 
would be detected with probability a^ if the pulse were measured by a perfect detector. 
If this pulse is polarized in the -|- basis, the two states are simply, to second order in a, 

|0r)^(l-y)|0,0) + a|l,0) + ^|2,0) 
|ir)^(l-^)|0,0) + a|0,l) + ^|0,2). 

However, the two states in the x basis, when expressed as Fock states in terms of the 
-|- basis, are more complicated: 



|OrO ~ fl - ^V'O) + («/v^)f|l>0) + |0>1)1 + ^^f|2,0) + v^|l, 1) + |0,2) 
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|ir) ^ (l - y)|0,0) + (a/v^)[|l,0) - |0,1)] + ^[|2,0) - V2|l, 1) + |0,2) 

We call those four states the modified qubits. Note that they are not two-level systems 
anymore but six-level systems, or qu-hexits. 

If we considered only the first order in a, as is usually done, the four states would 
behave verv much like the ideal BB84 state.s leadiner us to the wrone" conclusion that the 



protocol is secure! However, when the second order is considered, the two states in one 
basis are no longer linear combinations of the two states in the other basis. As noted by 
Yuen^, this linear independence in the six-dimensional Hilbert space creates a fatal flaw 
for BB84 in the presence of high losses. These states can be distinguished conclusively 
by an appropriate POVM. Such measurement yields no information about the state 
most of the time, but sometimes it identifies it unambiguously. As explained in the 
introduction, this allows for a successful conclusive-measurement attack provided the 
loss rate expected by Alice and Bob is sufficiently high. To provide numerical analysis, 
one must find the states that form the POVM. This is a cumbersome calculation and we 
leave it for the final paper. However, it is clear that the success probability is of order a^ 
(relative to the one-photon counts). Therefore, with Eve getting a conclusive result with 
relative probability of order a^, and with o? = 0.1 as in the current experiments, it 
seems that a channel loss rate of 90%-95% is fatal. With current channel loss rates, 
there is no escape from decreasing a by more than one order of magnitude if reasonable 
security is to be achieved, and by more than two orders of magnitudes if we expect to 
have secure key distribution to distances required for practical purposes. 



CREATING A MODIFIED SINGLET STATE IN THE PROCESS OF PDC 

In this section, we present the parametric downconversion process and we give 
the output state to second order in the PDC parameter. The PDC process provides a 
source of photons for Bob and Alice with important advantages over the weak coherent 
pulse discussed in the previous section. A classical pump field with vertical polarization 
drives a PDC crystal below threshold, thereby producing photon pairs from a two-mode 
vacuum state input field |0, 0, 0, 0). The two output fields from the parametric downcon- 
verter are correlated in time of emission as well as polarization, and conservation laws 
apply to the sum of energies and momenta of the photons in the two fields. The quan- 
tum field input to the parametric downconverter is assumed to be in the vacuum state. 
We consider the field emitted by the PDC process and channeled through a polarization 
rotator and a beam splitter, which creates entanglement between them. One arm of 
the resulting output goes to Alice and the other arm goes to Bob. 

We denote by \ka^,la^,nb^,mb^), or more simply \k,l,n,m), the state in which 
there are k photons with vertical polarization and / photons with horizontal polarization 
going into Alice's arm "a", and n photons with vertical polarization and m photons 
with horizontal polarization going into Bob's arm "b". The PDC small parameter x, 
which is proportional to the strength of the pump field, the interaction time between 
the field and the crystal and the nonlinearity of the medium, is so that a photon pair 
would be detected with probability x^ if the output of the interaction were measured 
by perfect detectors. The state created by this process is an entangled state, and it 
is usually assumed to be a singlet \ip-) = (l/\/2)[|0, 1, 1,0) — |1,0,0, 1)], but we show 
in the final paper how to calculate it more precisely, to obtain the modified singlet 
\x) = IV^- ) to second order in x'- 

\X) = fl-^V'0'0'0) + ?f|0'l'l'0) + |l'l'0'0)-|0'0'l'l)-|l'0'0'l) 
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^0,2,2,0) + |2,2,0,0) + |0,0,2,2) + |2,0,0,2)-2|l,l,l,l) 



+ \/2|l, 0, 1, 2) - 7210, 1, 2, 1) + V2|l, 2, 1, 0) - v^|2, 1, 0, 1) 



CREATING A MODIFIED QUBIT IN A PDC PROCESS 

In order to use PDC for performing the BB84 four-state scheme, we need to consider 
the state sent from Ahce to Bob. This is produced by Ahce measuring her arm in a basis 
(+ or X ) of her choice and letting the other arm, which is the modified qubit, go to Bob 
through the quantum channel. More precisely, Alice directs her arm to an adjustable 
rotator (to choose the basis of measurement: angle for + and 7r/4 for x) followed by 
a polarization-dependent beam splitter that sends the horizontal mode to one direction 
and the vertical mode to another spatial direction. Each of these spatial modes is now 
subjected to a measurement, which in the limit of perfect efficiency provides an exact 
count of the number of photons that reached each detector. In this section, we analyse 
to orders x and x^ the modified qubit thus sent to Bob resulting from the modified 
singlet state. 

Considering \x) to order x a-^id perfect detectors (used by Alice), the modified 
singlet is projected to yield a perfect qubit that is sent towards Bob in one of the BB84 
states. With imperfect detection, but not allowing dark counts, Ahce might send the 
vacuum, while she thinks she sent a single photon, but this causes only state losses and 
it has no effect on security as far as we could see. 

When we consider \x) to order x^ a^iid perfect detectors, this process yields a 
modification of the four BB84 states, but surprisingly still results in a perfect BB84 
scheme! With perfect measurements, only the terms with exactly one photon at Alice's 
site will not be discarded, so that we need only consider the terms |[|0, 1,1,0) — 
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|1, 0,0,1)] and ^7=[|1, 0, 1, 2) — |0, 1,2,1)]. In case Alice decides to rotate her mode 
by angle 7r/4 in order to send Bob a qubit in the x basis, the above terms change 
to ^[|0, 1,1,0) + |1, 0,1,0) - |1, 0,0,1) + |0, 1,0,1)] and ^[|1,0,1,2) - |0,1,1,2) - 
|0,1,2,1)-|1,0,2,1)]. 

With ideal detectors and Alice measuring without rotation, the state of Eq. |l| is 
projected onto |0, 1) or |1,0) (in Alice's arm), yielding respectively 

2 

|0f^) ^ ^|i,o)-^|2,l) 

2 

I + / 2' ' / 2v^' ' 

(since Alice used the + basis). When Alice uses the x basis, the rotated terms (calcu- 
lated as before) provide the relevant contribution, yielding 
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\pdc\ X. 



2v^ 

X 



OD ~ -> |1,0) + |0,1) -^ |1,2) + |2,1) 



X 



2^2 



in^r^ |1,0)-|0,1) +^ |1,2)-|2,1) 



X 
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The modified qubit is not a two-level system but a four- level system. Yet, all four 
states lie in a two-level system spanned by any two of them. Furthermore, they satisfy 
the same conditions as the theoretical BB84 states; each one in the x basis is an equal 
superposition of the states in the + basis. Thus, all theoretical security analyses apply 
to these states. 

DISCUSSION 

We have seen that pdc-QKD has a crucial advantage over wcp-QKD due to the 
fact that the four states created in the Pnc nrocess are enuivalent to the theoretical 



states. However, the calculation so far assumed that Alice uses perfect measuring 
devices. A calculation taking account of realistic measurements will contain also other 
corrections. Then the states will be linearly independent, so that Eve can find a POVM 
to distinguish between them conclusively. 

Nevertheless, let us show a vital advantage of the more realistic pdc-QKD over 
WCP-QKD. Even though both schemes are insecure in principle in the presence of high 
channel losses, the use of PDC as a source of qubits is potentially much preferable: 
For PDC qubits, the controlled parameter x is usually smaller than 10~^, thus the 
probability of having more than one photon is 10~^, conditional to having at least one 
photon, and seems to be negligible when the channel losses are 99% or even much 
more. Furthermore, the small parameter can be easily further decreased according 
to the loss rate to potentially solve the problem, perhaps while increasing the pulse 
frequency to keep the same bit rate. In WCP, the corresponding parameter a is usually 
around 0.3. Unfortunately, this parameter cannot be adjusted so easily because it plays 
a dual role. Decreasing it immediately increases the state losses, which are 1 — a^. 
Although these are state losses and not channel losses — hence we didn't see any effect 
of these losses on security — they are crucial in this implementation: with much smaller 
a it is impossible to achieve any reasonable bit rate since the state loss rate is 1 — a^. 
Increasing the number of pulses to overcome this problem is not an appropriate solution 
since Alice needs to write down the polarization of the states in all pulses, and change 
the polarization for each one. 

Another important advantage of pdc-QKD is that it solves a problem usually left 
unnoticed: Eve can attack WCP-QKD by eavesdropping into Alice's lab; this can be done 
by finding the setting of Alice's polarizers using a strong pulse sent to, and reflected 
from the polarizers^ in between Alice's pulses. We are not aware of any such attack 
that can be used against the PDC-QKD implementation. 

Our work is only an initial step. Analysis of more realistic scenarios and of other 
attacks might show that pdc-QKD is not as superior to WCP-QKD as this preliminary 
study indicates. 
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